From 864372000ee790e170fb9456e92f7bf28d9a52e1 Mon Sep 17 00:00:00 2001
From: Choongwoo Han
Date: Tue, 9 Jan 2018 07:33:29 +0900
Subject: [PATCH] [csa] Fix type casing in GetProperty

The checked node and used node were mismatched. It checked if "var_unique" is a string, but it used "key" which may not be a string.

Bug: v8:4911, v8:7161, chromium:800077
Change-Id: Ia2aee8b77ac33500430365a4800bf9cca40a28fc
Reviewed-on: https://chromium-review.googlesource.com/855138
Reviewed-by: Jakob Kummerow
Commit-Queue: Jakob Kummerow
Cr-Commit-Position: refs/heads/master@{#50435}
---
 src/code-stub-assembler.cc | 3 ++-
 test/mjsunit/regress/regress-crbug-800077.js | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-800077.js

diff --git a/src/code-stub-assembler.cc b/src/code-stub-assembler.cc
index 74c576e67e..885bbc9aa5 100644
--- a/src/code-stub-assembler.cc
+++ b/src/code-stub-assembler.cc
@@ -7134,7 +7134,8 @@ void CodeStubAssembler::TryPrototypeChainLookup(
 GotoIfNot(InstanceTypeEqual(holder_instance_type, JS_TYPED_ARRAY_TYPE), &next_proto);
 GotoIfNot(IsString(var_unique.value()), &next_proto);
- BranchIfMaybeSpecialIndex(CAST(key), if_bailout, &next_proto);
+ BranchIfMaybeSpecialIndex(CAST(var_unique.value()), if_bailout,
+ &next_proto);
 }
 BIND(&next_proto);
diff --git a/test/mjsunit/regress/regress-crbug-800077.js b/test/mjsunit/regress/regress-crbug-800077.js
new file mode 100644
index 0000000000..13679073fe
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-800077.js
@@ -0,0 +1,6 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var sample = new Float64Array(1);
+Reflect.has(sample, undefined);
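Review bot: The corrected `BranchIfMaybeSpecialIndex` call in `TryPrototypeChainLookup` still depends on the reader knowing that `key` is the unconverted input, while only `var_unique` passed the `IsString` check on the line above; nothing in the code records that, and it is exactly the mismatch this commit repairs. As far as I know `CAST` is only verified in debug builds, so in release the old line would have handed a non-string key to string-handling code unchecked, which makes this a memory-safety-relevant spot worth annotating. I would add above the call `// Use var_unique, not |key|: only var_unique was checked by IsString(); |key| may be a non-String.` The function body starts and ends outside this hunk, so any other uses of `key` after the name conversion cannot be checked from here.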
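Review bot: The new regression test has neither an assertion nor a comment saying what it guards, so it only catches the bug when the run aborts; if the mismatched cast is detected only in debug builds (which I believe is how `CAST` behaves), a release-mode run could pass with the bug present. I would state the intent and pin the result, e.g. `// A non-string key on a typed array must not be cast to String (crbug 800077).` followed by `assertFalse(Reflect.has(sample, undefined));`. The test also covers a single key value through `Reflect.has`; other non-string keys such as `null` or `true`, and the plain load `sample[undefined]`, presumably reach the same lookup and would be cheap to add.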